Ok, been finding addresses alright but once they put out a patch everything goes to crap. What I've seen is the offsets stay the same but the base addresses change. What do you look for when finding patterns around or in the addresses that contain the pointers you're looking for?

Any tips you have would be great. Right now I'm surviving with pointer scans using known offsets.

Download OllyDbg. Open up the process, make sure that the executable is selected (as, under 64-bit OSes, it runs through a compatibility layer) and search for a constant (right click in the CPU menu). Search for the static address you've found. Hopefully you will find something. Now, you construct a pattern out of the code in that area.

Administrator wrote:Download OllyDbg. Open up the process, make sure that the executable is selected (as, under 64-bit OSes, it runs through a compatibility layer) and search for a constant (right click in the CPU menu). Search for the static address you've found. Hopefully you will find something. Now, you construct a pattern out of the code in that area.

Ok well I have the first bits no worries but just trying to construct a pattern.
Can't find any options for doing that.

Remember, no matter what you do in life, to always have a little fun while you are at it

There is no option. You do it yourself. First, you should (but don't necessarily need to) have Olly analyze the code (CTRL+A). Find the section you want to construct a pattern for. For example, you'll get something like this:

Ahh ok, now I understand what you mean. I also had a look in your update.lua for rombot, made it a lot easier to understand =)

I think the trouble I am having is this.
In Olly, the top left window shows addresses up to 008C8FFF.
The bottom left shows addresses from 00998000 to 00A6FFF0.
The addresses I am searching for are after 008C8FFF, so when I do a search in that section I don't get the actual address; I get what I guess are pointers that use the address. So the bytes I see aren't for the actual address.

so would be bytes of
0x8B, 0x0D, 0x90, 0x93, 0xA0, 0x00
mask of
xxxxx?

And doing a search for this after an update wouldn't work, as those bytes are made up from the address A0 93 90, just in reverse (90 93 A0), and since the address would have changed, searching for this wouldn't do any good lol

but like I said that's not the actual address, was just showing I knew what you meant with the bytes and mask =)

I think I must be loading the file wrong? Or have some settings wrong?


so would be bytes of
0x8B, 0x0D, 0x90, 0x93, 0xA0, 0x00
mask of
xxxxx?

Somewhat right. As you've seen, the address is there, but backwards. That's actually normal. I forgot to mention endianness.

Your mask is off. The address (the last 4 bytes) is dynamic; we expect it to change. Since it changes, you don't want to match it, and should use the wildcard (?).
That would also be a bad pattern. There are going to be thousands of instances of 0x8B 0x0D in the client. You've got to include additional lines to make sure it will be unique.
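A masked pattern scan of the kind described above, as an added example (not code from this thread or from any bot). The byte buffers are constructed stand-ins for the client, and the "patched" address 0x00A19748 is made up. It shows the xxxxx? mask breaking once the operand changes, 8B 0D alone matching several times, and the operand wildcarded plus the following instruction bytes giving a unique hit in both builds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Count hits of pat/mask in buf ('x' = byte must match, '?' = wildcard);
   when first is not NULL it receives the offset of the first hit. */
static size_t find_pattern(const uint8_t *buf, size_t len, const uint8_t *pat,
                           const char *mask, size_t *first)
{
    size_t plen = strlen(mask), hits = 0;
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j = 0;
        while (j < plen && (mask[j] == '?' || buf[i + j] == pat[j]))
            j++;
        if (j == plen && hits++ == 0 && first)
            *first = i;
    }
    return hits;
}
/* Constructed stand-in for the client: mov ecx,[0x00A09390] ; test ecx,ecx ;
   jz short, with unrelated mov ecx,[...] instructions around it. */
static const uint8_t OLD[] = {
    0x8B, 0x0D, 0x10, 0x20, 0x30, 0x00, 0x90,
    0x8B, 0x0D, 0x90, 0x93, 0xA0, 0x00, 0x85, 0xC9, 0x74, 0x10,
    0x8B, 0x0D, 0x40, 0x50, 0x60, 0x00 };
/* Constructed "patched" build: code shifted, static address now 0x00A19748. */
static const uint8_t NEW[] = {
    0x8B, 0x0D, 0x10, 0x20, 0x30, 0x00, 0x90, 0x90,
    0x8B, 0x0D, 0x48, 0x97, 0xA1, 0x00, 0x85, 0xC9, 0x74, 0x10,
    0x8B, 0x0D, 0x40, 0x50, 0x60, 0x00 };
static const uint8_t SHORT_PAT[] = { 0x8B, 0x0D, 0x90, 0x93, 0xA0, 0x00 };
/* Operand wildcarded, next instructions (test ecx,ecx ; jz) added for uniqueness. */
static const uint8_t GOOD_PAT[] = { 0x8B, 0x0D, 0, 0, 0, 0, 0x85, 0xC9, 0x74 };
/* Little-endian operand of the unique GOOD_PAT hit; 0 if absent or not unique. */
static uint32_t scan_address(const uint8_t *buf, size_t len)
{
    size_t off;
    if (find_pattern(buf, len, GOOD_PAT, "xx????xxx", &off) != 1)
        return 0;
    return (uint32_t)buf[off + 2] | (uint32_t)buf[off + 3] << 8 |
           (uint32_t)buf[off + 4] << 16 | (uint32_t)buf[off + 5] << 24;
}
int main(void)
{
    printf("xxxxx? old/new: %zu/%zu, xx???? new: %zu, addr old/new: %08X/%08X\n",
           find_pattern(OLD, sizeof OLD, SHORT_PAT, "xxxxx?", NULL),
           find_pattern(NEW, sizeof NEW, SHORT_PAT, "xxxxx?", NULL),
           find_pattern(NEW, sizeof NEW, SHORT_PAT, "xx????", NULL),
           scan_address(OLD, sizeof OLD), scan_address(NEW, sizeof NEW));
    return 0;
}
```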